By now, we all know that each of us is being monitored: All of our electronic communications, email, Internet traffic, cell phone transmissions, faxes, even landline (which is really all delivered via microwave towers these days) is being intercepted and recorded in massive data centers run by the NSA. There are probably other secret three-letter (or four-letter, depending on your viewpoint) agencies that we don’t even know about yet who function as backups to the ones we do know about.

It’s unfortunate that our government is forcing its citizens to learn the art of surveillance in order to protect our First Amendment rights under the United States Constitution. This is being done, purportedly, to protect us from terrorism. The truth — and this is known by those who are doing it — is that our government is out of control and fears that its criminal activities will be exposed. I’m not talking about what we already know, I’m talking about those deep, dark secrets that, if discovered, could bring the government down.

But, that’s for others to address and fix.

There have long existed techniques for jamming radio transmissions to cripple enemy communications in times of war. One of these techniques is the transmission of high power carrier signals containing nothing but noise spread across the known frequency band the enemy is using, making it impossible for the enemy to get any valid traffic through the noise. This principle is applicable to internet traffic with a twist.

One could simply record random atmospheric noise in MP3 files, encrypt them to make them look like something of interest and keep a steady stream of them flowing from one’s internet connection to the cloud. Done with sufficient volume, this would tend to mask most of your valid traffic, burying it in the noise, so the watchers would have to sort through useless, random noise.

I’m not advocating this, mind you, just making an observation. I could probably turn this into a plausible plot for a cyber-thriller novel, but I’m not a novelist. If any novelist finds this an interesting plot, feel free to run with it.

The news has been filled with pieces about how your internet, telephone and email traffic is being monitored by the NSA. It’s called PRISM. That’s not an acronym, but a descriptive moniker according to Steve Gibson. A prism splits light into its spectrum; PRISM splits the light on fiber optic cables into two paths – one to the internet router and the other to the NSA data collection facility.

Security Now! podcast, Episode 408, “The State of Surveillance (How the NSA’s PRISM program works.),” is a must listen for everyone. Here’s why, in Steve’s own words:

Leo and I remind our listeners that we just had another Microsoft Patch Tuesday. Then I detail and carefully lay down a solid foundation of theory of the operation of the NSA’s PRISM program. This explains EVERYTHING about what the NSA is doing, and how. I even explain how and why the program got its name.

Sophos produces some excellent videos and this one definitely qualifies. I have been saying these things for years, but this video punches home the whys and wherefores of the three biggest wireless security myths. Enjoy!

I have been reading Bruce Schneier’s Secrets and Lies: Digital Security in a Networked World for some time now. Why it took me so long to finally read it, I don’t know – any security geek worth his salt needs the background this book provides. Granted, technology has changed and advanced since this book was first published in 2000, making some of the examples irrelevant in today’s environment, but the basics of security that they illustrate have not.

In Chapter 24, Mr. Schneier outlines and explains security processes in depth and states the obvious that most of us either never think about or take for granted:

Computer insecurity is inevitable. Technology can foil most of the casual attackers. Laws can deter, or at least prosecute, most criminals. But attacks will fall through the cracks. Networks will be hacked. Fraud will be committed. Money will be lost. People will die.

Technology alone cannot save us.

. . .

The only thing reasonable to do is to create processes that accept this reality, and allow us to go about our lives the best we can.

The following are the process principles Mr. Schneier outlines. I’ve printed this list and posted it as a reminder to look at my network with these points in mind when making changes or upgrading things.

Compartmentalize

Secure the Weakest Link

Use Choke Points

Provide Defense in Depth

Fail Securely

Leverage Unpredictability

Embrace Simplicity

Enlist the Users

Assure

Question

If you haven’t read the book, I highly recommend you do so now to get the in-depth take on each of these principles.

We tend to be creatures of habit. For some areas of our lives, that’s a good thing; there’s nothing wrong with establishing healthy eating habits or good home maintenance habits. When it comes to security (both physical security and cyber security), however, habits can be a very bad thing. For instance, if you always park in the exact same spot and take the same route from or to the parking lot at the same times each day, you could become a target for muggers. The solution is to park in a different spot each day – maybe even a different lot, if you can – and vary your route. In other words, be a moving target, be unpredictable.

The same principle applies in cyberspace. You’ve seen those statistics that show how predictable password patterns are (see Password patterns to avoid as one example). Most of us probably also use the same user name (our name or a variation) for everything and some, heaven forbid, the same (predictable) password or password pattern. This makes it relatively easy for hackers to compromise your account. The solution is to use different user names for your various sites and online accounts. This can be as simple as adding numbers to your user name, or tacking on the site name. For example, my login to foo.net could be kenfoo with a random password. Or, it could be kharthun23. Whatever you do, the idea is to be unpredictable.

You’re the Man, the IT guru, the go-to guy where you work. Your cell phone rings in the middle of the night at times. You get emails 24/7. Everything depends on you. You had an assistant, but budget cuts eliminated that position. On your way to work one fine morning, you’re hit by the proverbial bus. Will your successor be able to step in and take over or will he/she find him/her self in the middle of IT Hell?

It happened to me once (not my predecessor’s fault, more the fault of the office manager) and it took me two months to get things figured out. My first day on the job, I was handed a rather rumpled piece of folio paper with some logins and passwords written on it. I took one look at it and for a moment I considered running screaming from the building. Here was a network with several routers, closets full of switches, five servers, an IP phone system, and a complete wireless network. I had the passwords for four of the servers, the hosted email system, and my predecessor’s workstation.

In short order I learned that most of the passwords, save the one for the domain controller and my predecessor’s workstation, were wrong. I found out much later that the office manager apparently lost the instructional write-up she had been given by my predecessor when he left.

Like I said, it took me two months to figure it all out as I dug through old files, stacks of binders and hundreds of my predecessor’s folders filled with documentation (where I finally found the original instructions). Had the office manager not lost the original write-up, the whole process would have taken me less than a week to get up to speed.

Document everything and make sure there are multiple copies. Create a special set of instructions and do what you can to make sure they are not lost. I have a red binder that I keep updated to make a transition easier for my successor.

The only good answers to these goofy security questions we see all the time are outright lies. Perhaps the goofiest question of all is, “What is your mother’s maiden name?” It takes only a casual search to get the answer to that one. Equally as bad (I guess they’re just starting to catch on that maiden name isn’t good) is one I had to supply for my health insurance company, “What is your mother’s middle name?” Then, there’s the name of your first pet, what high school did you attend, etc. These things might enhance security slightly, but a determined hacker is going to have – or get – all the answers.

The solution is to simply lie – invent fictitious names, places, etc. and then store those answers securely in LastPass, RoboForm, or other encrypted forms. Examples:

Mother’s maiden name: pinkelephant.

Mother’s middle name: beerthirty.

First pet name: tyrannosaurus.

High school: alpha centauri

Take a screen shot of all the questions in the lists on those websites that require security questions and invent all the answers. Then, keep the list in a safe place, like your wallet. No one’s going to guess those lies. For the truly paranoid, use a password generator to generate random strings. LastPass has a feature to generate pronounceable strings for use if you’re every asked for an answer over the phone.

No need to use much space to introduce you to Mr. Bruce Schneier; his reputation as a security expert is indisputable. I thank him for being gracious enough to let me re-post his article, “Government Secrets and the Need for Whistleblowers,” which I present here in its entirety and which I support 100 percent. There must be safeguards against a government that is out of control.

Government Secrets and the Need for Whistleblowers

Recently, we learned that the NSA received all calling records from Verizon customers for a three-month period starting in April. That’s everything except the voice content: who called who, where they were, how long the call lasted — for millions of people, both Americans and foreigners. This “metadata” allows the government to track the movements of everyone during that period, and a build a detailed picture of who talks to whom. It’s exactly the same data the Justice Department collected about AP journalists.

The “Guardian” delivered this revelation after receiving a copy of a secret memo about this — presumably from a whistleblower. We don’t know if the other phone companies handed data to the NSA too. We don’t know if this was a one-off demand or a continuously renewed demand; the order started a few days after the Boston bombers were captured by police.

We don’t know a lot about how the government spies on us, but we know some things. We know the FBI has issued tens of thousands of ultra-secret National Security Letters to collect all sorts of data on people — we believe on millions of people — and has been abusing them to spy on cloud-computer users. We know it can collect a wide array of personal data from the Internet without a warrant. We also know that the FBI has been intercepting cell-phone data, all but voice content, for the past 20 years without a warrant, and can use the microphone on some powered-off cell phones as a room bug — presumably only with a warrant.

We know that the NSA has many domestic-surveillance and data-mining programs with codenames like Trailblazer, Stellar Wind, and Ragtime — deliberately using different codenames for similar programs to stymie oversight and conceal what’s really going on. We know that the NSA is building an enormous computer facility in Utah to store all this data, as well as faster computer networks to process it all. We know the U.S. Cyber Command employs 4,000 people.

We know that the DHS is also collecting a massive amount of data on people, and that local police departments are running “fusion centers” to collect and analyze this data, and covering up its failures. This is all part of the militarization of the police.

Remember in 2003, when Congress defunded the decidedly creepy Total Information Awareness program? It didn’t die; it just changed names and split into many smaller programs. We know that corporations are doing an enormous amount of spying on behalf of the government: all parts.

We know all of this not because the government is honest and forthcoming, but mostly through three backchannels — inadvertent hints or outright admissions by government officials in hearings and court cases, information gleaned from government documents received under FOIA, and government whistleblowers.

There’s much more we don’t know, and often what we know is obsolete. We know quite a bit about the NSA’s ECHELON program from a 2000 European investigation, and about the DHS’s plans for Total Information Awareness from 2002, but much less about how these programs have evolved. We can make inferences about the NSA’s Utah facility based on the theoretical amount of data from various sources, the cost of computation, and the power requirements from the facility, but those are rough guesses at best. For a lot of this, we’re completely in the dark.

And that’s wrong.

The U.S. government is on a secrecy binge. It overclassifies more information than ever. And we learn, again and again, that our government regularly classifies things not because they need to be secret, but because their release would be embarrassing.

Knowing how the government spies on us is important. Not only because so much of it is illegal — or, to be as charitable as possible, based on novel interpretations of the law — but because we have a right to know. Democracy requires an informed citizenry in order to function properly, and transparency and accountability are essential parts of that. That means knowing what our government is doing to us, in our name. That means knowing that the government is operating within the constraints of the law. Otherwise, we’re living in a police state.

We need whistleblowers.

Leaking information without getting caught is difficult. It’s almost impossible to maintain privacy in the Internet Age. The WikiLeaks platform seems to have been secure — Bradley Manning was caught not because of a technological flaw, but because someone he trusted betrayed him — but the U.S. government seems to have successfully destroyed it as a platform. None of the spin-offs have risen to become viable yet. The “New Yorker” recently unveiled its Strongbox platform for leaking material, which is still new but looks good. Wired recently gave the best advice on how to leak information to the press via phone, email, or the post office. The National Whistleblowers Center has a page on national-security whistleblowers and their rights.

Leaking information is also very dangerous. The Obama Administration has embarked on a war on whistleblowers, pursuing them — both legally and through intimidation — further than any previous administration has done. Mark Klein, Thomas Drake, and William Binney have all been persecuted for exposing technical details of our surveillance state. Bradley Manning has been treated cruelly and inhumanly — and possibly tortured — for his more-indiscriminate leaking of State Department secrets.

The Obama Administration’s actions against the Associated Press, its persecution of Julian Assange, and its unprecedented prosecution of Manning on charges of “aiding the enemy” demonstrate how far it’s willing to go to intimidate whistleblowers — as well as the journalists who talk to them.

But whistleblowing is vital, even more broadly than in government spying. It’s necessary for good government, and to protect us from abuse of power.

We need details on the full extent of the FBI’s spying capabilities. We don’t know what information it routinely collects on American citizens, what extra information it collects on those on various watch lists, and what legal justifications it invokes for its actions. We don’t know its plans for future data collection. We don’t know what scandals and illegal actions — either past or present — are currently being covered up.

We also need information about what data the NSA gathers, either domestically or internationally. We don’t know how much it collects surreptitiously, and how much it relies on arrangements with various companies. We don’t know how much it uses password cracking to get at encrypted data, and how much it exploits existing system vulnerabilities. We don’t know whether it deliberately inserts backdoors into systems it wants to monitor, either with or without the permission of the communications-system vendors.

And we need details about the sorts of analysis the organizations perform. We don’t know what they quickly cull at the point of collection, and what they store for later analysis — and how long they store it. We don’t know what sort of database profiling they do, how extensive their CCTV and surveillance-drone analysis is, how much they perform behavioral analysis, or how extensively they trace friends of people on their watch lists.

We don’t know how big the U.S. surveillance apparatus is today, either in terms of money and people or in terms of how many people are monitored or how much data is collected. Modern technology makes it possible to monitor vastly more people — the recent NSA revelations demonstrate that they could easily surveil *everyone* — than could ever be done manually.

Whistleblowing is the moral response to immoral activity by those in power. What’s important here are government programs and methods, not data about individuals. I understand I am asking for people to engage in illegal and dangerous behavior. Do it carefully and do it safely, but — and I am talking directly to you, person working on one of these secret and probably illegal programs — do it.

If you see something, say something. There are many people in the U.S. that will appreciate and admire you.

For the rest of us, we can help by protesting this war on whistleblowers. We need to force our politicians not to punish them — to investigate the abuses and not the messengers — and to ensure that those unjustly persecuted can obtain redress.

Our government is putting its own self-interest ahead of the interests of the country. That needs to change.

Hey, it’s Funny Friday! And I have a very funny video for you (if you consider British dry humour funny – I do). How about distracting hackers from stealing information by titillating them with erotic romance? This was an April Fool’s joke from Sophos in 2010. Watch and enjoy and have a great weekend.

About This Blog

Ken "The Geek" Harthun takes the mystery out of computer security. You’ll find valuable advice, tips, and news on how to keep your PCs, network, and data safe from attack by crackers and cybercriminals.